Quagmire



• Authentication vs Authorization

• How many identities do we have?

Facebook's Zuckerberg: "Having two identities for yourself is an example of a lack of integrity"

• Trust

"To trust is good; not to trust is better"

Italian proverb




• MA Two Factor Scheme

• VANguard Mk I

• AGOSP Mk I

• Trust Centre






OpenID



NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE
Enhancing Online Choice, Efficiency, Security, and Privacy
April 2011







Special cases

Kantara Initiative study: Implemented Trust Frameworks
http://kantarainitiative.org/confluence/display/bctf/Implemented+Trust+Frameworks

BankID Scandinavia
AAF & other tertiary ed
US Federal PKI
Octopus



Intuition

Flawed intuition: if I am known by one service provider, then I should be knowable by others automatically




Dodgy metaphors

Passport

Silo

Digital Identity

"A set of claims made by one subject about itself or another subject" (Laws of Identity)




"Interoperability is something of a will-o'-the-wisp. You think you understand what people mean by it, and then quickly realise you don't. In my experience, it's possible when discussing interoperability to be at cross-purposes all of the time."

Peter Smith, APCA, 2000




Risk is in the eye of the beholder

Strength of Authentication Mechanism

LOA (risk) = Impact × Probability (%)





Risk matrix (figure): Severity (Insignificant, Minor, Moderate, Major, Severe) against Likelihood (up to Almost certain)
But impact is idiosyncratic

Consequence rating by type of consequence:

| Type | Insignificant | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Release of personally or commercially sensitive data without consent | No impact | No significant impact | Measurable impact, breach of regulations | Significant impact | Major consequences |
| Financial loss to any client or third party | No loss | Minimal | Minor | Significant | Substantial |
| Risk to any party's personal safety | No risk | No risk | No risk | Any risk to personal safety | Threatens life directly |









What problem are we trying to solve?

Credentica U-Prove: "Prove unanticipated properties of protected identity assertions"

"It's deja vu all over again"

Yogi Berra

"e-business was going to release a massive pent-up demand for stranger-to-stranger commerce. But truly un-vetted business introduction is rare"

Trust Services - A Market Appraisal, Rohan Freeman 2002
Circles

• Friends

• Family

• Work mates

• Professionals

• Alumni

• High School Reunion Effect





Id is proxy for relationship

Diagram: one person (Steve Wilson) is known by a different identifier in each relationship, with Best Sec Pty Ltd, Acme Bank (twice), Visa, IHI, Uni of Trees, Telco, Passport and a corporate car (sample numbers not reproduced). Behind each identifier stands the relationship and its rules: contract, term, authority, account, 100 point check, credit checks, legislation, PIN, new employee, login, keys, scheme rules.



"All identity is 'local'. The further away from a pre-specified business context an identity credential becomes, the less valuable it is"

Darryl Greenwood 2002



Complicating generalisations

Diagram (Information Card flow between Relying Parties and Identity Providers): the Relying Party publishes its policy, i.e. its security token requirements; the user selects the desired identity by choosing an Information Card from a platform-specific identity selector; the selector authenticates to the Identity Provider and gets a security token; the user presents the security token to the Relying Party.



Simplifying assumptions 



• There are few total strangers 

• There are few surprises 

• Relying Party is often the Id Provider 



"Isn't closure a good thing?"





"Things are the way they are 
because they got that way" 

Gerald Weinberg 




Authentication Family Tree

Diagram: a family tree of authentication mechanisms, listed by cluster: Challenge-Response Calculator, Matrix Card, SMS, Time Sync Token, OATH Token, TAN Card; Retina, Hand Vascular, Fingerprint (Swipe), Fingerprint (Planar); Health Cards, National ID, Chip-and- (label truncated), Staff Cards, Passport, SIMs; Smart phones, PDAs, Set-top Box; Roaming Soft Certs, Soft Certificates.



Selection pressures 



Security 

Fraud 

Convenience, accessibility 

Basel II, KYC, AML/CTF

Professional standards 

Electronic Verification 

Single view of customer, of patient 

Privacy 
Identity is memetic




Existing ecosystems 



Banking 
Retail 

Employment 
Corporate regulations 
Tertiary education 
Healthcare delivery 
The professions 




Artificial ecosystems? 








Predictions 




LinkedIn identity will thrive

Bank ids will resist federation (KYC) 

NSTIC will fall short of expectations 

No "choice" of IdPs at higher LOAs 

Liability allocation will require 
government intervention 

Memetic diversity will be vital 



Conservation of identity

• Context is king

• Identity-in-context ≈ Authorization

- identity as an employee

- identity as a personal banking customer

- identity as a corporate banking customer

• Higgins R-Cards

• Gatekeeper Relationship Certificates
Relationship Certificates

Diagram: an e-Prescription transaction (Patient name, Med, Dose, Repeats) is the Transaction; the Credentials it is signed with carry the matching Context:

User Certificate
  Subject: Dr Smith
  Ext: Lic No. xyz
  Org
  Policy OID: - - -

CA Certificate (Health Org CA)
  Subject: Health Org CA
  Validity: - - -
  Issuer: Root CA
  Policy OID: - - -
  Public Key:



Next steps

No new artificial ecosystems

Shift thinking to relationships

Keep it simple

PKI to conserve (identity + context)

Research: phylomemetics of identity



Conclusion 




If the hard part of any Internet project is not technology but business processes, change management, people and legal ...

Then let's stick to the tech
http://lockstep.com.au